feat: add annotation to allow to add custom response headers (#9742)

* add custom headers

Signed-off-by: Christian Groschupp <christian@groschupp.org>

* add tests

Signed-off-by: Christian Groschupp <christian@groschupp.org>

* add docs

* update copyright

* change comments

* add e2e test customheaders

* add custom headers validation

* remove escapeLiteralDollar filter

* validate value in custom headers

* add regex for header value

* fix annotation test

* Revert "remove escapeLiteralDollar filter"

This reverts commit ab48392b60dee4ce146a4c17e046849f9633c7fb.

* add annotationConfig

* fix test

* fix golangci-lint findings

* fix: add missung exp module

---------

Signed-off-by: Christian Groschupp <christian@groschupp.org>

internal/ingress/annotations/annotations.go

@@ -20,6 +20,7 @@ import (
 	"dario.cat/mergo"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/canary"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/customheaders"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/disableproxyintercepterrors"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry"
@@ -82,6 +83,7 @@ type Ingress struct {
 	Canary                      canary.Config
 	CertificateAuth             authtls.Config
 	ClientBodyBufferSize        string
+	CustomHeaders               customheaders.Config
 	ConfigurationSnippet        string
 	Connection                  connection.Config
 	CorsConfig                  cors.Config
@@ -133,6 +135,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
 			"Canary":                      canary.NewParser(cfg),
 			"CertificateAuth":             authtls.NewParser(cfg),
 			"ClientBodyBufferSize":        clientbodybuffersize.NewParser(cfg),
+			"CustomHeaders":               customheaders.NewParser(cfg),
 			"ConfigurationSnippet":        snippet.NewParser(cfg),
 			"Connection":                  connection.NewParser(cfg),
 			"CorsConfig":                  cors.NewParser(cfg),

internal/ingress/annotations/annotations_test.go

@@ -43,16 +43,20 @@ var (
 	annotationAffinityCookieName     = parser.GetAnnotationWithPrefix("session-cookie-name")
 	annotationUpstreamHashBy         = parser.GetAnnotationWithPrefix("upstream-hash-by")
 	annotationCustomHTTPErrors       = parser.GetAnnotationWithPrefix("custom-http-errors")
+	annotationCustomHeaders          = parser.GetAnnotationWithPrefix("custom-headers")
 )
 
 type mockCfg struct {
 	resolver.Mock
-	MockSecrets  map[string]*apiv1.Secret
-	MockServices map[string]*apiv1.Service
+	MockSecrets    map[string]*apiv1.Secret
+	MockServices   map[string]*apiv1.Service
+	MockConfigMaps map[string]*apiv1.ConfigMap
 }
 
 func (m mockCfg) GetDefaultBackend() defaults.Backend {
-	return defaults.Backend{}
+	return defaults.Backend{
+		AllowedResponseHeaders: []string{"Content-Type"},
+	}
 }
 
 func (m mockCfg) GetSecret(name string) (*apiv1.Secret, error) {
@@ -63,6 +67,10 @@ func (m mockCfg) GetService(name string) (*apiv1.Service, error) {
 	return m.MockServices[name], nil
 }
 
+func (m mockCfg) GetConfigMap(name string) (*apiv1.ConfigMap, error) {
+	return m.MockConfigMaps[name], nil
+}
+
 func (m mockCfg) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) {
 	secret, err := m.GetSecret(name)
 	if err != nil {
@@ -317,3 +325,44 @@ func TestCustomHTTPErrors(t *testing.T) {
 		}
 	}
 }
+
+func TestCustomResponseHeaders(t *testing.T) {
+	mockObj := mockCfg{}
+	mockObj.MockConfigMaps = map[string]*apiv1.ConfigMap{}
+	mockObj.MockConfigMaps["custom-headers"] = &apiv1.ConfigMap{Data: map[string]string{"Content-Type": "application/json"}}
+	mockObj.MockConfigMaps["empty-custom-headers"] = &apiv1.ConfigMap{Data: map[string]string{}}
+
+	ec := NewAnnotationExtractor(mockObj)
+	ing := buildIngress()
+	fooAnns := []struct {
+		annotations map[string]string
+		headers     map[string]string
+	}{
+		{map[string]string{annotationCustomHeaders: "custom-headers"}, map[string]string{"Content-Type": "application/json"}},
+		{map[string]string{annotationCustomHeaders: "empty-custom-headers"}, map[string]string{}},
+		{nil, map[string]string{}},
+	}
+
+	for _, foo := range fooAnns {
+		ing.SetAnnotations(foo.annotations)
+		rann, err := ec.Extract(ing)
+		if err != nil {
+			t.Errorf("error should be null: %v", err)
+		}
+		r := rann.CustomHeaders.Headers
+
+		// Check that expected headers were created
+		for i := range foo.headers {
+			if r[i] != foo.headers[i] {
+				t.Errorf("Returned %v but expected %v", r, foo.headers)
+			}
+		}
+
+		// Check that no unexpected headers were created
+		for i := range r {
+			if r[i] != foo.headers[i] {
+				t.Errorf("Returned %v but expected %v", r, foo.headers)
+			}
+		}
+	}
+}

internal/ingress/annotations/customheaders/main.go

@@ -0,0 +1,124 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package customheaders
+
+import (
+	"fmt"
+	"regexp"
+
+	"k8s.io/klog/v2"
+
+	networking "k8s.io/api/networking/v1"
+
+	"golang.org/x/exp/slices"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+)
+
+// Config returns the custom response headers for an Ingress rule
+type Config struct {
+	Headers map[string]string `json:"headers,omitempty"`
+}
+
+var (
+	headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`)
+	valueRegexp  = regexp.MustCompile(`^[a-zA-Z\d_ :;.,\\/"'?!(){}\[\]@<>=\-+*#$&\x60|~^%]+$`)
+)
+
+// ValidHeader checks is the provided string satisfies the header's name regex
+func ValidHeader(header string) bool {
+	return headerRegexp.MatchString(header)
+}
+
+// ValidValue checks is the provided string satisfies the value regex
+func ValidValue(header string) bool {
+	return valueRegexp.MatchString(header)
+}
+
+const (
+	customHeadersConfigMapAnnotation = "custom-headers"
+)
+
+var customHeadersAnnotation = parser.Annotation{
+	Group: "backend",
+	Annotations: parser.AnnotationFields{
+		customHeadersConfigMapAnnotation: {
+			Validator: parser.ValidateRegex(parser.BasicCharsRegex, true),
+			Scope:     parser.AnnotationScopeLocation,
+			Risk:      parser.AnnotationRiskMedium,
+			Documentation: `This annotation sets the name of a ConfigMap that specifies headers to pass to the client.
+			Only ConfigMaps on the same namespace are allowed`,
+		},
+	},
+}
+
+type customHeaders struct {
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
+}
+
+// NewParser creates a new custom response headers annotation parser
+func NewParser(r resolver.Resolver) parser.IngressAnnotation {
+	return customHeaders{r: r, annotationConfig: customHeadersAnnotation}
+}
+
+func (a customHeaders) GetDocumentation() parser.AnnotationFields {
+	return a.annotationConfig.Annotations
+}
+
+// Parse parses the annotations contained in the ingress to use
+// custom response headers
+func (a customHeaders) Parse(ing *networking.Ingress) (interface{}, error) {
+	clientHeadersConfigMapName, err := parser.GetStringAnnotation(customHeadersConfigMapAnnotation, ing, a.annotationConfig.Annotations)
+	if err != nil {
+		klog.V(3).InfoS("client-headers annotation is undefined and will not be set")
+	}
+
+	var headers map[string]string
+	defBackend := a.r.GetDefaultBackend()
+
+	if clientHeadersConfigMapName != "" {
+		clientHeadersMapContents, err := a.r.GetConfigMap(clientHeadersConfigMapName)
+		if err != nil {
+			return nil, ing_errors.NewLocationDenied(fmt.Sprintf("unable to find configMap %q", clientHeadersConfigMapName))
+		}
+
+		for header, value := range clientHeadersMapContents.Data {
+			if !ValidHeader(header) {
+				return nil, ing_errors.NewLocationDenied("invalid header name in configmap")
+			}
+			if !ValidValue(value) {
+				return nil, ing_errors.NewLocationDenied("invalid header value in configmap")
+			}
+			if !slices.Contains(defBackend.AllowedResponseHeaders, header) {
+				return nil, ing_errors.NewLocationDenied(fmt.Sprintf("header %s is not allowed, defined allowed headers inside global-allowed-response-headers %v", header, defBackend.AllowedResponseHeaders))
+			}
+		}
+
+		headers = clientHeadersMapContents.Data
+	}
+
+	return &Config{
+		Headers: headers,
+	}, nil
+}
+
+func (a customHeaders) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, customHeadersAnnotation.Annotations)
+}

internal/ingress/annotations/customheaders/main_test.go

@@ -0,0 +1,113 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package customheaders
+
+import (
+	"reflect"
+	"testing"
+
+	api "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/defaults"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+)
+
+func buildIngress() *networking.Ingress {
+	return &networking.Ingress{
+		ObjectMeta: meta_v1.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: networking.IngressSpec{
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
+			},
+		},
+	}
+}
+
+type mockBackend struct {
+	resolver.Mock
+}
+
+// GetDefaultBackend returns the backend that must be used as default
+func (m mockBackend) GetDefaultBackend() defaults.Backend {
+	return defaults.Backend{
+		AllowedResponseHeaders: []string{"Content-Type", "Access-Control-Max-Age"},
+	}
+}
+
+func TestCustomHeadersParseInvalidAnnotations(t *testing.T) {
+	ing := buildIngress()
+	configMapResolver := mockBackend{}
+	configMapResolver.ConfigMaps = map[string]*api.ConfigMap{}
+
+	_, err := NewParser(configMapResolver).Parse(ing)
+	if err != nil {
+		t.Errorf("expected error parsing ingress with custom-response-headers")
+	}
+
+	data := map[string]string{}
+	data[parser.GetAnnotationWithPrefix("custom-headers")] = "custom-headers-configmap"
+	ing.SetAnnotations(data)
+	i, err := NewParser(&resolver.Mock{}).Parse(ing)
+	if err == nil {
+		t.Errorf("expected error parsing ingress with custom-response-headers")
+	}
+	if i != nil {
+		t.Errorf("expected %v but got %v", nil, i)
+	}
+}
+
+func TestCustomHeadersParseAnnotations(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[parser.GetAnnotationWithPrefix("custom-headers")] = "custom-headers-configmap"
+	ing.SetAnnotations(data)
+
+	configMapResolver := mockBackend{}
+	configMapResolver.ConfigMaps = map[string]*api.ConfigMap{}
+
+	configMapResolver.ConfigMaps["custom-headers-configmap"] = &api.ConfigMap{Data: map[string]string{"Content-Type": "application/json", "Access-Control-Max-Age": "600"}}
+
+	i, err := NewParser(configMapResolver).Parse(ing)
+	if err != nil {
+		t.Errorf("unexpected error parsing ingress with custom-response-headers: %s", err)
+	}
+	val, ok := i.(*Config)
+	if !ok {
+		t.Errorf("expected a *Config type")
+	}
+
+	expectedResponseHeaders := map[string]string{}
+	expectedResponseHeaders["Content-Type"] = "application/json"
+	expectedResponseHeaders["Access-Control-Max-Age"] = "600"
+
+	c := &Config{expectedResponseHeaders}
+
+	if !reflect.DeepEqual(c, val) {
+		t.Errorf("expected %v but got %v", c, val)
+	}
+}

internal/ingress/controller/config/config.go

@@ -888,6 +888,7 @@ func NewDefault() Configuration {
 			ProxyHTTPVersion:            "1.1",
 			ProxyMaxTempFileSize:        "1024m",
 			ServiceUpstream:             false,
+			AllowedResponseHeaders:      []string{},
 		},
 		UpstreamKeepaliveConnections:           320,
 		UpstreamKeepaliveTime:                  "1h",

internal/ingress/controller/controller.go

@@ -1504,6 +1504,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) {
 	loc.BasicDigestAuth = anns.BasicDigestAuth
 	loc.ClientBodyBufferSize = anns.ClientBodyBufferSize
+	loc.CustomHeaders = anns.CustomHeaders
 	loc.ConfigurationSnippet = anns.ConfigurationSnippet
 	loc.CorsConfig = anns.CorsConfig
 	loc.ExternalAuth = anns.ExternalAuth

internal/ingress/controller/template/configmap.go

@@ -31,6 +31,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/customheaders"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/controller/config"
 	ing_net "k8s.io/ingress-nginx/internal/net"
@@ -54,6 +55,7 @@ const (
 	nginxStatusIpv6Whitelist      = "nginx-status-ipv6-whitelist"
 	proxyHeaderTimeout            = "proxy-protocol-header-timeout"
 	workerProcesses               = "worker-processes"
+	globalAllowedResponseHeaders  = "global-allowed-response-headers"
 	globalAuthURL                 = "global-auth-url"
 	globalAuthMethod              = "global-auth-method"
 	globalAuthSignin              = "global-auth-signin"
@@ -115,6 +117,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 	blockUserAgentList := make([]string, 0)
 	blockRefererList := make([]string, 0)
 	responseHeaders := make([]string, 0)
+	allowedResponseHeaders := make([]string, 0)
 	luaSharedDicts := make(map[string]int)
 	debugConnectionsList := make([]string, 0)
 
@@ -248,6 +251,22 @@ func ReadConfig(src map[string]string) config.Configuration {
 		}
 	}
 
+	// Verify that the configured global external authorization response headers are valid. if not, set the default value
+	if val, ok := conf[globalAllowedResponseHeaders]; ok {
+		delete(conf, globalAllowedResponseHeaders)
+
+		if val != "" {
+			harr := splitAndTrimSpace(val, ",")
+			for _, header := range harr {
+				if !customheaders.ValidHeader(header) {
+					klog.Warningf("Global allowed response headers denied - %s.", header)
+				} else {
+					allowedResponseHeaders = append(allowedResponseHeaders, header)
+				}
+			}
+		}
+	}
+
 	// Verify that the configured global external authorization method is a valid HTTP method. if not, set the default value
 	if val, ok := conf[globalAuthMethod]; ok {
 		delete(conf, globalAuthMethod)
@@ -422,6 +441,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 	to.ProxyStreamResponses = streamResponses
 	to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()
 	to.LuaSharedDicts = luaSharedDicts
+	to.Backend.AllowedResponseHeaders = allowedResponseHeaders
 
 	decoderConfig := &mapstructure.DecoderConfig{
 		Metadata:         nil,

internal/ingress/defaults/main.go

@@ -176,6 +176,9 @@ type Backend struct {
 	// By default, the NGINX ingress controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration.
 	// It disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port.
 	ServiceUpstream bool `json:"service-upstream"`
+
+	// AllowedResponseHeaders allows to define allow response headers for custom header annotation
+	AllowedResponseHeaders []string `json:"global-allowed-response-headers"`
 }
 
 type SecurityConfiguration struct {